When Patients Fear EHR

When patients believe paper medical records are safer and more private than electronic ones, their health can suffer.

Many members of the public mistakenly believe electronic health records (EHRs) are less secure than paper files. Magnified by misinformation and political distortion of facts, an unnecessary fear has taken root in the minds of many consumers -- often with serious consequences.

While states were rolling out their health insurance exchanges last year, a key service provided by the federal hub Healthcare.gov was automatic verification of the application data an applicant entered. Applicants could choose automated or manual verification of their data. The public was unclear about the consequences of their decisions.

If applicants chose automated verification, their applications could be approved within seconds without needing any documentation. If they chose manual verification, their applications would get stuck in a case worker's queue. Workers would then contact the applicant, and require the applicant to bring various documentation to verify date of birth, citizenship, legal status, income, information regarding their family members, and various other things. Their health insurance application approval would be delayed by weeks or months.

While working at several health fairs throughout the state of Maryland last year, I had the opportunity to talk to people about this issue. Here's what I found out:

Consumers thought that by choosing manual verification they would avoid having their information in electronic format.

People did not realize the choice would cause a delay in the approval of their application.

People had a general fear of computers and electronic information.

I explained to them that their information eventually would be in electronic format, even if they used a paper application form. If they chose automated electronic verification, the system would query the appropriate systems as well as the federal hub, verify the information entered, and provide a decision on the application within seconds. On the other hand, if they chose manual verification, they would need to bring in various documents that would have to be copied, scanned, and retained. It could take them a long time to gather all the necessary documentation; meanwhile, they would continue to be uninsured.

I then explained that paper records are far less secure than electronic records because of the following:

When someone views a paper record, no one knows who saw it, for how long they saw it, or when they saw it; we do not even know if they were authorized to view the record.

We cannot scramble or encrypt the data.

We are unable to retain backup copies in multiple locations to ensure protection in cases of fire or water damage.

Multiple physicians or other providers cannot easily see their complete medical records in order to make a life-saving decision for them.

Information is often hard to decipher because of variations in handwriting.

With electronic records, people have the power to determine how their information can be used and shared. They have the right and ability to view their information as well as correct any inaccuracies in their records. Custodians of their information are obligated by law to adequately protect their information or face severe fines and penalties.

I shared anecdotes of how patients' lives were saved because complete and accurate information was electronically available simultaneously to multiple specialists residing in various states, so they could agree on the least risky and most appropriate medication. This enabled the right decision to be made the first time. A wrong decision would have resulted in the death of the patient.

I then explained that electronic medical records are more secure than paper because:

We know exactly who sees their information, when they see it, for how long they saw it, and if they were authorized to see it.

Even in cases where an unauthorized access has been made, we have a better chance of catching the perpetrator.

We can scramble the information through encryption; we can also obfuscate the information and store it in a shredded file format instead of a complete file format.

We can keep the information in various geographically dispersed locations, ensuring availability even in case of disaster.

People felt empowered with the knowledge. It was truly heart-warming for me to watch as smiles spread across people's faces once they recognized the power, the promise, and the higher level of safety of electronic medical records. Once their insurance applications were approved within seconds, many complete strangers got up, shook our hands, and gave us their warmest hugs.

In its ninth year, Interop New York (Sept. 29 to Oct. 3) is the premier event for the Northeast IT market. Strongly represented vertical industries include financial services, government, and education. Join more than 5,000 attendees to learn about IT leadership, cloud, collaboration, infrastructure, mobility, risk management and security, and SDN, as well as explore 125 exhibitors' offerings. Register with Discount Code MPIWK to save $200 off Total Access & Conference Passes.

Dr. Mansur Hasib is the only cybersecurity professional in the world with 12 years' experience as CIO; a Doctor of Science (DSc) in Cybersecurity; CISSP (cybersecurity); PMP (project management), and CPHIMS (healthcare) certifications, who has written two books on the ... View Full Bio

There seems to be a real lack of knowledge between healthcare customers -- patients -- and providers, in terms of data: How it's used, who has access to it, where it's stored, whether it can be shared, and so forth. Does anyone know of a reputable study regarding consumers' awareness of PHI "ownership and rules," so to speak, which seems to be a natural leapfrog off the topic of EHRs v. paper.

About 21% of US healthcare organizations do not even plan to have a cybersecurity officer within a year (see my previous article on this). Corporate boardrooms in other industries are also waking up to this as well. So things should start to improve. Public demand and holding organizations accountable as the HHS "Wall of Shame" will drive improvement. The healthcare sector has a long way to go in implementing proper cybersecurity. Just because some people and organizations have been doing a poor job implementing and using technology does not make technology bad.

I attend healthcare conferences where I listen to presentations from US and international researchers, scholars and doctors. I also talk to doctors and other practitioners who use EHRs and share with us their research and stories.

"Many members of the public mistakenly believe electronic health records (EHRs) are less secure than paper files." As far as I know, you are the first person in years to claim that EHRs are more secure than paper. And for good reason: They are not. The HHS "Wall of Shame" is filled with digital breaches - not paper. On April 8, the FBI warned that EHRs are becoming increasingly vulnerable to hackers. (See: "Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain").

Dr. Hasib, you say innovation is "already saving thousands of human lives." In 2005, RAND published the results of a study which predicted a savings of 100,000 lives and $77 billion a year from EHRs. However, by 2011, history had made it clear that the prediction (based on a heavily biased study) was completely false. Even RAND disowned it. On what evidence do you base your claim that "thousands are being saved?"

Medical errors are one of the leading causes of death in the USA but these errors are not caused by technology. They are caused by humans who are either not using technology or misusing technology. Similarly, cars do not cause accidents (except in cases of manufacturing defects) -- people do.

To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.

Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.